Jared Stein

How we're protecting privacy with the Canvas Skill for Alexa

Blog Post created by Jared Stein Employee on Aug 8, 2017


I've talked with some folks both f2f and in the Community about the new Canvas Skill for Alexa (included in our InstCon0017 Product Announcements) and how it might impact student privacy (e.g. FERPA in the USA). Privacy is a hot and important topic in modern society, so it's worth thinking it through deeply.

 

tl;dr

Normal usage of the Canvas Skill for Alexa will not violate student privacy laws or policies, primarily because students have choices in whether and how they use the Skill.

 

--

 

Before we get into the question of privacy, let me share some background on the Canvas Skill for Alexa:


How the Alexa Skill fits The Canvas Way


We want all users of Canvas to be free to access Canvas through the devices and services that are a natural and important part of their everyday lives. This is why we integrated Canvas Notifications with email, SMS, and social media services like Twitter, giving the users themselves choice over how Canvas uses those services. This is why we've been progressive with native mobile apps and integrations with Google Docs and Office 365. We live in a connected, integrated world, and we believe people will use Canvas more -- and subsequently be more engaged in teaching and learning -- if Canvas is also connected and integrated.

 

That's our philosophy, but we also are committed to protecting users privacy and helping customers adhere to laws or institutional policies as we design, develop, and deliver software. And I think that shows in how the Canvas Skill for Alexa works.


How it Works

As with every Canvas integration, Canvas passes only the minimum amount of data required to accomplish a user's request, when they make the request. Canvas does this securely and in a fashion that allows the user to revoke access to the third-party application at any time.

 

The Canvas Skill for Alexa is a new service that we've built and will maintain that acts as a "middleware" between Alexa and Canvas. When a user asks the Canvas Skill a question, that service asks Canvas via our existing open API. There aren't new, secret end-points, and there aren't direct hooks into Canvas. The Canvas Skill uses the same method of getting data from Canvas that our mobile apps use, and, indeed, many core Canvas functions use as well.


Student Privacy and FERPA

Does the Canvas Skill for Alexa violate student privacy laws, specifically FERPA in the US?

No. We can discuss different laws or privacy protections in different regions case-by-case, but I think FERPA is a great starting point. FERPA says that parents or eligible students have the right to...

  1. review the student's education records
  2. request that a school correct records
  3. approve the release of education records (with some exceptions)

 

The Canvas Skill for Alexa doesn't apply to 1 or 2, and does not (nor enable anyone else to) release education records without the student's express permission. We designed the Canvas Skill so that...

  • Users must both choose to use Alexa and also enable the Canvas Skill, making them the agents of any data exchange.
  • Users have the power to disable the Canvas Skill and even revoke the Canvas Skill's access to Canvas at any time.
  • Users have other options of accessing the same information without the Canvas Skill (browser, mobile, etc).

 

It's there that I know we come into some nuance, so let's explore a hypothetical scenario:

A student has an Echo and adds the Canvas Skill to their Alexa account. Anyone (roommates, friends, colleagues) who is in proximity of that Echo can then ask Canvas about that students' grades.

Yeah, this could happen. But though Alexa may be new technology, this hypothetical problem isn't itself new. And there are ways to avoid it:

 

On the one hand, I think it's fair to expect the owner of the Echo in that scenario to have thought about this on their own. If they are concerned about this, they can simply choose to not use the Canvas Skill for Alexa. If they've already enabled it, they can at any time disable it or revoke permissions.

 

Even if students do choose to use Alexa in that situation, there are options that can help students maintain control, e.g. using an alternate wake word, securing their Echo when others are around, even if just by muting the mic. 

 

I think the Alexa hypothetical is not very different from a student who has left their computer on and logged in to their campus portal in a place where others might see or access it. Let's go low-tech, too: Students may leave a printed copy of their transcript on their desk where others can see it. Have you ever walked into a Starbucks and seen a student looking at their grades on their laptop? That's a less likely scenario, perhaps, but one that deserves similar consideration.

 

In short, students have control over if and how Alexa is used. They also have the same personal responsibility to protect their data and information that they would with all other media. This is also why it's important -- for education staff, for institutions, even for teachers and students -- to engage with the companies and organizations that offer these services when we are concerned about how our data is being used. It's true that the Amazon Echo challenges us to think deeply about personal privacy how we interact with information and our online accounts. The way the world is changing, we need the kind of discussions we're having here : )

Outcomes